Cybersecurity Maturity Model Certification (CMMC) 2.0 – What Federal Contractors Need To Know

Vandeventer Black LLP

On November 4, 2021, the Department of Defense (DoD) issued an Advance Notice of Proposed Rulemaking releasing the latest and highly anticipated iteration of the CMMC program, CMMC 2.0. According to the DoD, the streamlined CMMC 2.0:

  • Cuts red tape for small and medium-sized businesses
  • Sets priorities for protecting DoD information
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats

The DoD Cybersecurity Maturity Model Certification (CMMC) was originally introduced in 2020 (CMMC 1.0) and was intended to address widespread concerns about the loss of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the Defense Industrial Base (DIB). Although never fully implemented, CMMC 1.0 built upon DFARS clause 252.204-7012, which required federal contractors to maintain adequate security on all covered contractor information systems and to report all cybersecurity incidents to the government within 72 hours. CMMC 1.0 went a step further by setting up a tiered system of requirements across five levels, ranging from Level 1 (representing basic cyber hygiene) to Level 5 (representing advanced, progressive cyber hygiene). Unlike the DFARS clause, which permitted federal contractors to “self-certify” their compliance using a Plan of Action and Milestones (POA&M), CMMC 1.0 required government contractors to be certified by CMMC Third Party Assessment Organizations (C3PAOs) for compliance with the appropriate maturity level.

STREAMLINED REQUIREMENTS – REDUCED NUMBER OF MATURITY LEVELS

While CMMC 1.0 was based on five cybersecurity maturity levels, CMMC 2.0 has reduced those levels to three:

  • Level 1 – Foundational
  • Level 2 – Advanced
  • Level 3 – Expert

As with CMMC 1.0, the three levels are based on specified practices with increasing sophistication, each level including the practices from the previous level:

  • Level 1 – 17 practices (aligned with FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems)
  • Level 2 – 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
  • Level 3 – 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)

TIERED ASSESSMENTS

While CMMC 1.0 required third-party assessments for all levels, CMMC 2.0 has reduced the requirement for third-party assessments, leveraging self-assessments in certain circumstances:

  • Level 1 – Annual self-assessments will be permitted with company self-certification of compliance.
  • Level 2 – Two-tiered: Triennial third-party assessments for “critical national security information” and annual self-assessments (as in Level 1) for other programs. The third-party assessments at this level will be conducted by the C3PAOs under the original CMMC 1.0 model.
  • Level 3 – A government-level assessment will be required, likely by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Additionally, under certain circumstances that have yet to be defined, the DoD intends to allow contractors to continue to use POA&Ms to achieve certification compliance as a prerequisite to receiving a contract award, provided the POA&Ms contain specific deadlines for completion of the remaining items. The DoD has also built flexibility into the requirements, intending to implement a process to waive CMMC requirements under certain limited circumstances. The specifics of those requirements will be defined as part of the rulemaking process.

NEXT STEPS

CMMC 2.0 will not become effective until the federal rulemaking process is complete, which could take a year or more. The intent is for CMMC 2.0 to take effect as soon as that process is complete. As part of the rulemaking process, the government will provide a public comment period, so additional changes could be made during that period. In the meantime, the DoD intends to suspend the current CMMC piloting efforts and will not approve the inclusion of CMMC requirements in any DoD solicitation.

Despite this, contractors should continue to enhance their cybersecurity posture while rulemaking is underway and be prepared to comply with CMMC 2.0 once rulemaking is complete. The DoD has indicated that it is exploring opportunities to provide incentives to contractors who voluntarily obtain a CMMC certification in the interim.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Vandeventer Black LLP | Attorney Advertising

